TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / bfa3c9a85f7e794e4cf821244bb58d6c86034efc / . / library / aes.c
blob: 0286a7fbf1ed378c35649130b049a1f18fff5697 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]40#if defined(POLARSSL_AESNI_C)
41#include "polarssl/aesni.h"
42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]44#if !defined(POLARSSL_AES_ALT)
45
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46/*
47 * 32-bit integer manipulation macros (little endian)
48 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]49#ifndef GET_UINT32_LE
50#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]51{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]52 (n) = ( (uint32_t) (b)[(i) ] ) \
53 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
54 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
55 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56}
57#endif
58
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]59#ifndef PUT_UINT32_LE
60#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61{ \
62 (b)[(i) ] = (unsigned char) ( (n) ); \
63 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66}
67#endif
68
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]69#if defined(POLARSSL_PADLOCK_C) && \
70 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]71static int aes_padlock_ace = -1;
72#endif
73
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]74#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75/*
76 * Forward S-box
77 */
78static const unsigned char FSb[256] =
79{
80 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
81 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
82 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
83 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
84 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
85 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
86 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
87 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
88 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
89 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
90 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
91 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
92 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
93 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
94 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
95 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
96 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
97 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
98 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
99 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
100 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
101 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
102 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
103 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
104 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
105 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
106 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
107 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
108 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
109 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
110 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
111 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
112};
113
114/*
115 * Forward tables
116 */
117#define FT \
118\
119 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
120 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
121 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
122 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
123 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
124 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
125 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
126 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
127 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
128 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
129 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
130 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
131 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
132 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
133 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
134 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
135 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
136 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
137 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
138 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
139 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
140 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
141 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
142 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
143 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
144 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
145 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
146 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
147 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
148 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
149 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
150 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
151 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
152 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
153 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
154 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
155 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
156 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
157 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
158 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
159 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
160 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
161 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
162 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
163 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
164 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
165 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
166 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
167 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
168 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
169 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
170 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
171 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
172 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
173 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
174 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
175 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
176 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
177 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
178 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
179 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
180 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
181 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
182 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
183
184#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]185static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]186#undef V
187
188#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]189static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]190#undef V
191
192#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]193static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]194#undef V
195
196#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]197static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198#undef V
199
200#undef FT
201
202/*
203 * Reverse S-box
204 */
205static const unsigned char RSb[256] =
206{
207 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
208 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
209 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
210 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
211 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
212 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
213 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
214 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
215 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
217 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
218 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
219 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
220 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
221 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
223 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
224 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
225 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
226 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
227 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
228 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
229 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
230 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
231 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
232 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
233 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
234 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
235 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
236 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
237 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
238 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
239};
240
241/*
242 * Reverse tables
243 */
244#define RT \
245\
246 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
247 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
248 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
249 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
250 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
251 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
252 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
253 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
254 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
255 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
256 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
257 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
258 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
259 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
260 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
261 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
262 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
263 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
264 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
265 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
266 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
267 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
268 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
269 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
270 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
271 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
272 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
273 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
274 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
275 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
276 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
277 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
278 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
279 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
280 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
281 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
282 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
283 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
284 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
285 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
286 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
287 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
288 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
289 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
290 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
291 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
292 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
293 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
294 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
295 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
296 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
297 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
298 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
299 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
300 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
301 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
302 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
303 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
304 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
305 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
306 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
307 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
308 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
309 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
310
311#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]312static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]313#undef V
314
315#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]316static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317#undef V
318
319#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]320static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321#undef V
322
323#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]324static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]325#undef V
326
327#undef RT
328
329/*
330 * Round constants
331 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]332static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333{
334 0x00000001, 0x00000002, 0x00000004, 0x00000008,
335 0x00000010, 0x00000020, 0x00000040, 0x00000080,
336 0x0000001B, 0x00000036
337};
338
339#else
340
341/*
342 * Forward S-box & tables
343 */
344static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static uint32_t FT0[256];
346static uint32_t FT1[256];
347static uint32_t FT2[256];
348static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349
350/*
351 * Reverse S-box & tables
352 */
353static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static uint32_t RT0[256];
355static uint32_t RT1[256];
356static uint32_t RT2[256];
357static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
359/*
360 * Round constants
361 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]362static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363
364/*
365 * Tables generation code
366 */
367#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
368#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
369#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
370
371static int aes_init_done = 0;
372
373static void aes_gen_tables( void )
374{
375 int i, x, y, z;
376 int pow[256];
377 int log[256];
378
379 /*
380 * compute pow and log tables over GF(2^8)
381 */
382 for( i = 0, x = 1; i < 256; i++ )
383 {
384 pow[i] = x;
385 log[x] = i;
386 x = ( x ^ XTIME( x ) ) & 0xFF;
387 }
388
389 /*
390 * calculate the round constants
391 */
392 for( i = 0, x = 1; i < 10; i++ )
393 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]394 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395 x = XTIME( x ) & 0xFF;
396 }
397
398 /*
399 * generate the forward and reverse S-boxes
400 */
401 FSb[0x00] = 0x63;
402 RSb[0x63] = 0x00;
403
404 for( i = 1; i < 256; i++ )
405 {
406 x = pow[255 - log[i]];
407
408 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
410 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
412 x ^= y ^ 0x63;
413
414 FSb[i] = (unsigned char) x;
415 RSb[x] = (unsigned char) i;
416 }
417
418 /*
419 * generate the forward and reverse tables
420 */
421 for( i = 0; i < 256; i++ )
422 {
423 x = FSb[i];
424 y = XTIME( x ) & 0xFF;
425 z = ( y ^ x ) & 0xFF;
426
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]427 FT0[i] = ( (uint32_t) y ) ^
428 ( (uint32_t) x << 8 ) ^
429 ( (uint32_t) x << 16 ) ^
430 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431
432 FT1[i] = ROTL8( FT0[i] );
433 FT2[i] = ROTL8( FT1[i] );
434 FT3[i] = ROTL8( FT2[i] );
435
436 x = RSb[i];
437
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]438 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
439 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
440 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
441 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442
443 RT1[i] = ROTL8( RT0[i] );
444 RT2[i] = ROTL8( RT1[i] );
445 RT3[i] = ROTL8( RT2[i] );
446 }
447}
448
449#endif
450
451/*
452 * AES key schedule (encryption)
453 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]454int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]456 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]457 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]459#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460 if( aes_init_done == 0 )
461 {
462 aes_gen_tables();
463 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]464
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465 }
466#endif
467
468 switch( keysize )
469 {
470 case 128: ctx->nr = 10; break;
471 case 192: ctx->nr = 12; break;
472 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]473 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 }
475
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]476#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
477 if( aes_padlock_ace == -1 )
478 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
479
480 if( aes_padlock_ace )
481 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
482 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]484 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]486#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
487 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnardbfa3c9a2013-12-30 13:53:58 +0100[diff] [blame^]488 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]489#endif
490
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491 for( i = 0; i < (keysize >> 5); i++ )
492 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]493 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]494 }
495
496 switch( ctx->nr )
497 {
498 case 10:
499
500 for( i = 0; i < 10; i++, RK += 4 )
501 {
502 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]503 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
504 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
505 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
506 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]507
508 RK[5] = RK[1] ^ RK[4];
509 RK[6] = RK[2] ^ RK[5];
510 RK[7] = RK[3] ^ RK[6];
511 }
512 break;
513
514 case 12:
515
516 for( i = 0; i < 8; i++, RK += 6 )
517 {
518 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]519 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
520 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
521 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
522 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523
524 RK[7] = RK[1] ^ RK[6];
525 RK[8] = RK[2] ^ RK[7];
526 RK[9] = RK[3] ^ RK[8];
527 RK[10] = RK[4] ^ RK[9];
528 RK[11] = RK[5] ^ RK[10];
529 }
530 break;
531
532 case 14:
533
534 for( i = 0; i < 7; i++, RK += 8 )
535 {
536 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]537 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
538 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
539 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
540 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541
542 RK[9] = RK[1] ^ RK[8];
543 RK[10] = RK[2] ^ RK[9];
544 RK[11] = RK[3] ^ RK[10];
545
546 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]547 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
548 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
549 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
550 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551
552 RK[13] = RK[5] ^ RK[12];
553 RK[14] = RK[6] ^ RK[13];
554 RK[15] = RK[7] ^ RK[14];
555 }
556 break;
557
558 default:
559
560 break;
561 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]562
563 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564}
565
566/*
567 * AES key schedule (decryption)
568 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]569int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570{
571 int i, j;
572 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]573 uint32_t *RK;
574 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]575 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]576
577 switch( keysize )
578 {
579 case 128: ctx->nr = 10; break;
580 case 192: ctx->nr = 12; break;
581 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]582 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583 }
584
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
586 if( aes_padlock_ace == -1 )
587 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
588
589 if( aes_padlock_ace )
590 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
591 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]593 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]595 ret = aes_setkey_enc( &cty, key, keysize );
596 if( ret != 0 )
597 return( ret );
598
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]599#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
600 if( aesni_supports( POLARSSL_AESNI_AES ) )
601 {
602 aesni_inverse_key( (unsigned char *) ctx->rk,
603 (const unsigned char *) cty.rk, ctx->nr );
604 goto done;
605 }
606#endif
607
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]608 SK = cty.rk + cty.nr * 4;
609
610 *RK++ = *SK++;
611 *RK++ = *SK++;
612 *RK++ = *SK++;
613 *RK++ = *SK++;
614
615 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
616 {
617 for( j = 0; j < 4; j++, SK++ )
618 {
619 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
620 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
621 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
622 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
623 }
624 }
625
626 *RK++ = *SK++;
627 *RK++ = *SK++;
628 *RK++ = *SK++;
629 *RK++ = *SK++;
630
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]631done:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]633
634 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]635}
636
637#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
638{ \
639 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
640 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
641 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
642 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
643 \
644 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
645 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
646 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
647 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
648 \
649 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
650 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
651 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
652 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
653 \
654 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
655 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
656 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
657 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
658}
659
660#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
661{ \
662 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
663 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
664 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
665 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
666 \
667 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
668 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
669 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
670 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
671 \
672 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
673 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
674 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
675 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
676 \
677 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
678 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
679 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
680 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
681}
682
683/*
684 * AES-ECB block encryption/decryption
685 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]686int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]688 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689 unsigned char output[16] )
690{
691 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]692 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]694#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]695 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]696 return( aesni_crypt_ecb( ctx, mode, input, output ) );
697#endif
698
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]699#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]700 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]701 {
702 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]703 return( 0 );
704
705 // If padlock data misaligned, we just fall back to
706 // unaccelerated mode
707 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]708 }
709#endif
710
711 RK = ctx->rk;
712
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]713 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
714 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
715 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
716 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717
718 if( mode == AES_DECRYPT )
719 {
720 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
721 {
722 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
723 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
724 }
725
726 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
727
728 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]729 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
730 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
731 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
732 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]733
734 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]735 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
736 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
737 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
738 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]739
740 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]741 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
742 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
743 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
744 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]745
746 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]747 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
748 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
749 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
750 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]751 }
752 else /* AES_ENCRYPT */
753 {
754 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
755 {
756 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
757 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
758 }
759
760 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
761
762 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]763 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
764 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
765 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
766 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]767
768 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]769 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
770 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
771 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
772 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773
774 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]775 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
776 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
777 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
778 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]779
780 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]781 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
782 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
783 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
784 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]785 }
786
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]787 PUT_UINT32_LE( X0, output, 0 );
788 PUT_UINT32_LE( X1, output, 4 );
789 PUT_UINT32_LE( X2, output, 8 );
790 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]791
792 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]793}
794
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]795#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]796/*
797 * AES-CBC buffer encryption/decryption
798 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]799int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]800 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]801 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]802 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]803 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804 unsigned char *output )
805{
806 int i;
807 unsigned char temp[16];
808
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]809 if( length % 16 )
810 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
811
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]812#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]813 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814 {
815 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]816 return( 0 );
817
818 // If padlock data misaligned, we just fall back to
819 // unaccelerated mode
820 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]821 }
822#endif
823
824 if( mode == AES_DECRYPT )
825 {
826 while( length > 0 )
827 {
828 memcpy( temp, input, 16 );
829 aes_crypt_ecb( ctx, mode, input, output );
830
831 for( i = 0; i < 16; i++ )
832 output[i] = (unsigned char)( output[i] ^ iv[i] );
833
834 memcpy( iv, temp, 16 );
835
836 input += 16;
837 output += 16;
838 length -= 16;
839 }
840 }
841 else
842 {
843 while( length > 0 )
844 {
845 for( i = 0; i < 16; i++ )
846 output[i] = (unsigned char)( input[i] ^ iv[i] );
847
848 aes_crypt_ecb( ctx, mode, output, output );
849 memcpy( iv, output, 16 );
850
851 input += 16;
852 output += 16;
853 length -= 16;
854 }
855 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]856
857 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]858}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]859#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]861#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862/*
863 * AES-CFB128 buffer encryption/decryption
864 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]865int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]867 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]868 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]869 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]870 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]871 unsigned char *output )
872{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]873 int c;
874 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]875
876 if( mode == AES_DECRYPT )
877 {
878 while( length-- )
879 {
880 if( n == 0 )
881 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
882
883 c = *input++;
884 *output++ = (unsigned char)( c ^ iv[n] );
885 iv[n] = (unsigned char) c;
886
887 n = (n + 1) & 0x0F;
888 }
889 }
890 else
891 {
892 while( length-- )
893 {
894 if( n == 0 )
895 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
896
897 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
898
899 n = (n + 1) & 0x0F;
900 }
901 }
902
903 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]904
905 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]906}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]907#endif /*POLARSSL_CIPHER_MODE_CFB */
908
909#if defined(POLARSSL_CIPHER_MODE_CTR)
910/*
911 * AES-CTR buffer encryption/decryption
912 */
913int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]914 size_t length,
915 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]916 unsigned char nonce_counter[16],
917 unsigned char stream_block[16],
918 const unsigned char *input,
919 unsigned char *output )
920{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]921 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]922 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]923
924 while( length-- )
925 {
926 if( n == 0 ) {
927 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
928
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]929 for( i = 16; i > 0; i-- )
930 if( ++nonce_counter[i - 1] != 0 )
931 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]932 }
933 c = *input++;
934 *output++ = (unsigned char)( c ^ stream_block[n] );
935
936 n = (n + 1) & 0x0F;
937 }
938
939 *nc_off = n;
940
941 return( 0 );
942}
943#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]944#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]945
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]946#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]947
948#include <stdio.h>
949
950/*
951 * AES test vectors from:
952 *
953 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
954 */
955static const unsigned char aes_test_ecb_dec[3][16] =
956{
957 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
958 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
959 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
960 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
961 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
962 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
963};
964
965static const unsigned char aes_test_ecb_enc[3][16] =
966{
967 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
968 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
969 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
970 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
971 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
972 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
973};
974
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]975#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]976static const unsigned char aes_test_cbc_dec[3][16] =
977{
978 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
979 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
980 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
981 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
982 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
983 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
984};
985
986static const unsigned char aes_test_cbc_enc[3][16] =
987{
988 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
989 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
990 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
991 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
992 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
993 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
994};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]995#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]996
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]997#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]998/*
999 * AES-CFB128 test vectors from:
1000 *
1001 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1002 */
1003static const unsigned char aes_test_cfb128_key[3][32] =
1004{
1005 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1006 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1007 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1008 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1009 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1010 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1011 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1012 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1013 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1014};
1015
1016static const unsigned char aes_test_cfb128_iv[16] =
1017{
1018 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1019 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1020};
1021
1022static const unsigned char aes_test_cfb128_pt[64] =
1023{
1024 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1025 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1026 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1027 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1028 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1029 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1030 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1031 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1032};
1033
1034static const unsigned char aes_test_cfb128_ct[3][64] =
1035{
1036 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1037 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1038 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1039 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1040 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1041 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1042 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1043 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1044 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1045 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1046 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1047 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1048 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1049 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1050 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1051 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1052 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1053 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1054 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1055 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1056 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1057 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1058 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1059 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1060};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1061#endif /* POLARSSL_CIPHER_MODE_CFB */
1062
1063#if defined(POLARSSL_CIPHER_MODE_CTR)
1064/*
1065 * AES-CTR test vectors from:
1066 *
1067 * http://www.faqs.org/rfcs/rfc3686.html
1068 */
1069
1070static const unsigned char aes_test_ctr_key[3][16] =
1071{
1072 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1073 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1074 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1075 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1076 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1077 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1078};
1079
1080static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1081{
1082 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1083 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1084 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1085 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1086 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1087 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1088};
1089
1090static const unsigned char aes_test_ctr_pt[3][48] =
1091{
1092 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1093 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1094
1095 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1096 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1097 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1098 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1099
1100 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1101 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1102 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1103 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1104 0x20, 0x21, 0x22, 0x23 }
1105};
1106
1107static const unsigned char aes_test_ctr_ct[3][48] =
1108{
1109 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1110 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1111 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1112 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1113 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1114 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1115 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1116 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1117 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1118 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1119 0x25, 0xB2, 0x07, 0x2F }
1120};
1121
1122static const int aes_test_ctr_len[3] =
1123 { 16, 32, 36 };
1124#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1125
1126/*
1127 * Checkup routine
1128 */
1129int aes_self_test( int verbose )
1130{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1131 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1132 unsigned char key[32];
1133 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1134 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1135#if defined(POLARSSL_CIPHER_MODE_CBC)
1136 unsigned char prv[16];
1137#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1138#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1139 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1140#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1141#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1142 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1143 unsigned char nonce_counter[16];
1144 unsigned char stream_block[16];
1145#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1146 aes_context ctx;
1147
1148 memset( key, 0, 32 );
1149
1150 /*
1151 * ECB mode
1152 */
1153 for( i = 0; i < 6; i++ )
1154 {
1155 u = i >> 1;
1156 v = i & 1;
1157
1158 if( verbose != 0 )
1159 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1160 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1161
1162 memset( buf, 0, 16 );
1163
1164 if( v == AES_DECRYPT )
1165 {
1166 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1167
1168 for( j = 0; j < 10000; j++ )
1169 aes_crypt_ecb( &ctx, v, buf, buf );
1170
1171 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1172 {
1173 if( verbose != 0 )
1174 printf( "failed\n" );
1175
1176 return( 1 );
1177 }
1178 }
1179 else
1180 {
1181 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1182
1183 for( j = 0; j < 10000; j++ )
1184 aes_crypt_ecb( &ctx, v, buf, buf );
1185
1186 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1187 {
1188 if( verbose != 0 )
1189 printf( "failed\n" );
1190
1191 return( 1 );
1192 }
1193 }
1194
1195 if( verbose != 0 )
1196 printf( "passed\n" );
1197 }
1198
1199 if( verbose != 0 )
1200 printf( "\n" );
1201
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1202#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1203 /*
1204 * CBC mode
1205 */
1206 for( i = 0; i < 6; i++ )
1207 {
1208 u = i >> 1;
1209 v = i & 1;
1210
1211 if( verbose != 0 )
1212 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1213 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1214
1215 memset( iv , 0, 16 );
1216 memset( prv, 0, 16 );
1217 memset( buf, 0, 16 );
1218
1219 if( v == AES_DECRYPT )
1220 {
1221 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1222
1223 for( j = 0; j < 10000; j++ )
1224 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1225
1226 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1227 {
1228 if( verbose != 0 )
1229 printf( "failed\n" );
1230
1231 return( 1 );
1232 }
1233 }
1234 else
1235 {
1236 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1237
1238 for( j = 0; j < 10000; j++ )
1239 {
1240 unsigned char tmp[16];
1241
1242 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1243
1244 memcpy( tmp, prv, 16 );
1245 memcpy( prv, buf, 16 );
1246 memcpy( buf, tmp, 16 );
1247 }
1248
1249 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1250 {
1251 if( verbose != 0 )
1252 printf( "failed\n" );
1253
1254 return( 1 );
1255 }
1256 }
1257
1258 if( verbose != 0 )
1259 printf( "passed\n" );
1260 }
1261
1262 if( verbose != 0 )
1263 printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1264#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1265
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1266#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1267 /*
1268 * CFB128 mode
1269 */
1270 for( i = 0; i < 6; i++ )
1271 {
1272 u = i >> 1;
1273 v = i & 1;
1274
1275 if( verbose != 0 )
1276 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1277 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1278
1279 memcpy( iv, aes_test_cfb128_iv, 16 );
1280 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1281
1282 offset = 0;
1283 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1284
1285 if( v == AES_DECRYPT )
1286 {
1287 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1288 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1289
1290 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1291 {
1292 if( verbose != 0 )
1293 printf( "failed\n" );
1294
1295 return( 1 );
1296 }
1297 }
1298 else
1299 {
1300 memcpy( buf, aes_test_cfb128_pt, 64 );
1301 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1302
1303 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1304 {
1305 if( verbose != 0 )
1306 printf( "failed\n" );
1307
1308 return( 1 );
1309 }
1310 }
1311
1312 if( verbose != 0 )
1313 printf( "passed\n" );
1314 }
1315
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1316 if( verbose != 0 )
1317 printf( "\n" );
1318#endif /* POLARSSL_CIPHER_MODE_CFB */
1319
1320#if defined(POLARSSL_CIPHER_MODE_CTR)
1321 /*
1322 * CTR mode
1323 */
1324 for( i = 0; i < 6; i++ )
1325 {
1326 u = i >> 1;
1327 v = i & 1;
1328
1329 if( verbose != 0 )
1330 printf( " AES-CTR-128 (%s): ",
1331 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1332
1333 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1334 memcpy( key, aes_test_ctr_key[u], 16 );
1335
1336 offset = 0;
1337 aes_setkey_enc( &ctx, key, 128 );
1338
1339 if( v == AES_DECRYPT )
1340 {
1341 len = aes_test_ctr_len[u];
1342 memcpy( buf, aes_test_ctr_ct[u], len );
1343
1344 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1345
1346 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1347 {
1348 if( verbose != 0 )
1349 printf( "failed\n" );
1350
1351 return( 1 );
1352 }
1353 }
1354 else
1355 {
1356 len = aes_test_ctr_len[u];
1357 memcpy( buf, aes_test_ctr_pt[u], len );
1358
1359 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1360
1361 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1362 {
1363 if( verbose != 0 )
1364 printf( "failed\n" );
1365
1366 return( 1 );
1367 }
1368 }
1369
1370 if( verbose != 0 )
1371 printf( "passed\n" );
1372 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1373
1374 if( verbose != 0 )
1375 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1376#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1377
1378 return( 0 );
1379}
1380
1381#endif
1382
1383#endif